General
-
Target
5a3ac08cf1bdee0dfe30bcd306c5613a7526eda1a1eaec00d76f3681b25f8694
-
Size
152KB
-
Sample
220802-exb5lsbgdr
-
MD5
8e43bfd8ae22ff54542cdef5356f661a
-
SHA1
0254724e7eeed2a6a93ad34fa98088435727787f
-
SHA256
5a3ac08cf1bdee0dfe30bcd306c5613a7526eda1a1eaec00d76f3681b25f8694
-
SHA512
3605db8d6d139cdc05e872ca90347bf4d2bfeb7420fbfda4d92dbc082724c4b2b02a0a19cad7164f9cd3709b6fd8cb7f9833ed8b2ff45606cc3b81046fc110d7
Malware Config
Extracted
tofsee
43.231.4.7
lazystax.ru
Targets
-
-
Target
5a3ac08cf1bdee0dfe30bcd306c5613a7526eda1a1eaec00d76f3681b25f8694
-
Size
152KB
-
MD5
8e43bfd8ae22ff54542cdef5356f661a
-
SHA1
0254724e7eeed2a6a93ad34fa98088435727787f
-
SHA256
5a3ac08cf1bdee0dfe30bcd306c5613a7526eda1a1eaec00d76f3681b25f8694
-
SHA512
3605db8d6d139cdc05e872ca90347bf4d2bfeb7420fbfda4d92dbc082724c4b2b02a0a19cad7164f9cd3709b6fd8cb7f9833ed8b2ff45606cc3b81046fc110d7
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass
-
Creates new service(s)
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Suspicious use of SetThreadContext
-